Kelihos and Waledac - Separated at Birth?

In another instance of malware utilizing holiday-themed spam emails, our researchers had the opportunity to review in detail the threat we call Backdoor:Win32/Kelihos.A. An interesting aspect of this threat is its use of fast-flux in much the same way as the Win32/Waledac family. This similarity is not a coincidence. Analysis shows that large portions of Kelihos's code are shared with Waledac, suggesting either that it comes from the same parties or that the code was obtained, updated and reused.

Still, based on our analysis, we have classified this as a new family and not a variant of Waledac. It is important to note that this new family is neither communicating with nor reactivating the original Waledac, whose command and control infrastructure was neutralized last year. We are actively monitoring this emerging malware in cooperation with the industry and academic partners who were previously involved in Operation b49.
Microsoft Malware Protection Center
